CLAIMS 



1 . A system for detecting intrusion on a host, comprising: 

a) a source of rules; 

b) a source of facts; and 

c) an analysis engine in communication with the source of rules and source of facts, 
configured to apply forward- and backward-chaining using facts from the source 
of facts and rules from the source of rules. 

2. The system as recited in claim 1, wherein the analysis engine performs forward- 
chaining by using the facts to generate inferences using the rules, and the analysis 
engine is further configured to limit lengths of the forward-chaining. 

3. The system as recited in claim 2, wherein the analysis engine is configured to perform 
backward-chaining from a goal and produce at least one sub-goal. 

4. The system as recited in claim 3, wherein the analysis engine is configured to match 
an inference with the at least one sub-goal, and if there is a match, to trigger further 
backward-chaining from the at least one sub-goal. 

5. The system as recited in claim 3, wherein the analysis engine is configured to assign a 
score to the goal. 
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6. The system as recited in claim 4, wherein the score comprises at least one of a cost 
function, a confidence factor, a support value, and importance of the goal. 

7. The system as recited in claim 5, wherein the analysis engine is further configured to 
5 use continuations. 

The system as recited in claim 7, wherein the analysis engine is further configured to 
use the scores to select a goal to be pursued. 

The system as recited in claim 8, wherein the rules are configured to enable the 
system to detect an intrusion after occurrence of the intrusion. 

The system as recited in claim 9, wherein the rules are configured to cause the 
analysis engine to correlate and evaluate facts from a plurality of sources of facts. 

3 

The system as recited in claim 10, wherein the plurality of sources comprises 
primary, secondary, and indirect sources of facts. 

12. The system as recited in claim 10, wherein the rules are further configured to cause 
20 the analysis to collect, correlate, and evaluate facts related to all phases of an attack. 

13. The system as recited in claim 2, wherein the analysis engine is configured to 
correlate and evaluate incomplete facts to detect attacks with missing or forged facts. 
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14. The system as recited in claim 1, further comprising a user interface, wherein the 
analysis engine is configured to provide the user interface with an analysis based on 
the facts and rules, and provide the user interface with information relating to the 
analysis. 

15. The system as recited in claim 14, wherein the analysis engine is further configured to 
provide background information relating to the analysis. 

16. A method for detecting intrusions on a host, comprising the steps of: 

a) providing a source of rules and a source of facts; 

b) forward- and backward-chaining using facts from the source of facts and rules 
from the source of rules. 

17. A computer program product for detecting intrusions on a host, the computer program 
product being embodied in a computer readable medium having machine readable 
code embodied therein for performing the steps of: 

a) providing a source of rules and a source of facts; 

b) forward- and backward-chaining using facts from the source of facts and rules 
from the source of rules. 
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